logging TLS SNI hostname
Aki Tuomi
aki.tuomi at dovecot.fi
Thu Oct 20 10:44:47 UTC 2016
On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, KT Walrus wrote:
>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz <arekm at maven.pl> wrote:
>>>
>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>> Is there a way to log SNI hostname used in TLS session? Info is there in
>>>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>> ssl_io->host.
>>>>
>>>> Unfortunately I don't see it expanded to any variables (
>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>> feature request.
>>>>
>>>> The goal is to be able to see which hostname client used like:
>>>>
>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=<abc>,
>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>> SNI=pop3.somehost.org, session=<hfS9Qwk03sBTBnrN>
>>> Dear dovecot team, would be possible to add such variable ^^^^^ ?
>>>
>>> That would be neat feature because server operator would know what
>>> hostname client uses to connect to server (which is really usefull in
>>> case of many hostnames pointing to single IP).
>> I’d love to be able to use this SNI domain name in the Dovecot IMAP proxy
>> for use in the SQL password_query. This would allow the proxy to support
>> multiple IMAP server domains each with their own set of users. And, it
>> would save me money by using only the IP of the proxy for all the IMAP
>> server domains instead of giving each domain a unique IP.
> It only needs to be carefuly implemented on dovecot side as TLS SNI hostname
> is information passed directly by client.
>
> So some fqdn name validation would need to happen in case if client has
> malicious intents.
>
>> Kevin
>
Hi!
I wonder if this would be of any help? It provides %{local_name}
passdb/userdb variable, you can use it for some logging too...
https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
Aki
More information about the dovecot
mailing list